From: bert hubert <bert.hubert@netherlabs.nl>
Date: Fri, 1 Jul 2016 10:07:37 +0000 (+0200)
Subject: improve error message when validation of domain fails due to timeouts
X-Git-Tag: rec-4.0.0~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b25cae9a0c8254c73aa4a67fecab09aac7fe3d8c;p=thirdparty%2Fpdns.git

improve error message when validation of domain fails due to timeouts
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index d75e1fe37d..7a5e104a60 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -952,45 +952,53 @@ void startDoResolve(void *p)
 
       // Does the validation mode or query demand validation?
       if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || (dc->d_mdp.d_header.ad && g_dnssecmode==DNSSECMode::Process)) {
-        if(sr.doLog()) {
-          L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
-        }
-
-        auto state=validateRecords(ret);
-        if(state == Secure) {
-          if(sr.doLog()) {
-            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates correctly"<<endl;
-          }
-
-          // Is the query source interested in the value of the ad-bit?
-          if (dc->d_mdp.d_header.ad)
-            pw.getHeader()->ad=1;
-        }
-        else if(state == Insecure) {
+        try {
           if(sr.doLog()) {
-            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Insecure"<<endl;
-          }
-
-          pw.getHeader()->ad=0;
-        }
-        else if(state == Bogus) {
-          if(sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
-            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
+            L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
           }
-
-          // Does the query or validation mode sending out a SERVFAIL on validation errors?
-          if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || dc->d_mdp.d_header.ad)) {
+          
+          auto state=validateRecords(ret);
+          if(state == Secure) {
             if(sr.doLog()) {
-              L<<Logger::Warning<<"Sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" because recursor or query demands it for Bogus results"<<endl;
+              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates correctly"<<endl;
             }
-
-            pw.getHeader()->rcode=RCode::ServFail;
-            goto sendit;
-          } else {
+            
+            // Is the query source interested in the value of the ad-bit?
+            if (dc->d_mdp.d_header.ad)
+              pw.getHeader()->ad=1;
+          }
+          else if(state == Insecure) {
             if(sr.doLog()) {
-              L<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" Bogus validation since neither config nor query demands this"<<endl;
+              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Insecure"<<endl;
             }
+            
+            pw.getHeader()->ad=0;
           }
+          else if(state == Bogus) {
+            if(sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
+              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
+            }
+            
+            // Does the query or validation mode sending out a SERVFAIL on validation errors?
+            if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || dc->d_mdp.d_header.ad)) {
+              if(sr.doLog()) {
+                L<<Logger::Warning<<"Sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" because recursor or query demands it for Bogus results"<<endl;
+              }
+              
+              pw.getHeader()->rcode=RCode::ServFail;
+              goto sendit;
+            } else {
+              if(sr.doLog()) {
+                L<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" Bogus validation since neither config nor query demands this"<<endl;
+              }
+            }
+          }
+        }
+        catch(ImmediateServFailException &e) {
+          if(g_logCommonErrors)
+            L<<Logger::Notice<<"Sending SERVFAIL to "<<dc->getRemote()<<" during validation of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+          pw.getHeader()->rcode=RCode::ServFail;
+          goto sendit;
         }
       }